KB5074994 is a February 10, 2026 security update for Microsoft Exchange Server 2019 Cumulative Update 14. This update addresses critical security vulnerabilities including remote code execution and elevation of privilege issues that could allow attackers to compromise Exchange servers.

KB5074994 — Security Update for Microsoft Exchange Server 2019 CU14
KB5074994 is a February 2026 security update that addresses multiple vulnerabilities in Microsoft Exchange Server 2019 Cumulative Update 14, including remote code execution and elevation of privilege flaws.
Issue Description
This security update addresses multiple vulnerabilities in Microsoft Exchange Server 2019 CU14 that could allow attackers to exploit the following security flaws:
- Remote Code Execution (RCE) vulnerabilities - Attackers could execute arbitrary code on the Exchange server with elevated privileges
- Elevation of Privilege (EoP) vulnerabilities - Local users could gain administrative access to the Exchange server
- Information Disclosure vulnerabilities - Sensitive Exchange configuration and mailbox data could be exposed to unauthorized users
- Denial of Service (DoS) vulnerabilities - Exchange services could become unresponsive or crash when processing malformed requests
These vulnerabilities affect Exchange Web Services (EWS), Outlook Web Access (OWA), Exchange Admin Center (EAC), and PowerShell remoting components. Exploitation could occur through specially crafted email messages, malicious web requests, or authenticated PowerShell sessions.
Root Cause
The vulnerabilities stem from improper input validation and memory management in Exchange Server components. Specifically, insufficient bounds checking in message parsing routines, inadequate authentication validation in web services, and improper handling of PowerShell cmdlet parameters allow attackers to bypass security controls and execute unauthorized operations.
Fixes remote code execution vulnerability in Exchange Web Services (CVE-2026-0847)
This update patches a critical remote code execution vulnerability in Exchange Web Services that could allow unauthenticated attackers to execute arbitrary code. The fix implements proper input validation for EWS SOAP requests and strengthens memory allocation routines to prevent buffer overflow conditions. Exchange administrators no longer need to implement workarounds for EWS access restrictions.
Resolves elevation of privilege vulnerability in Exchange Admin Center (CVE-2026-0848)
Addresses an elevation of privilege vulnerability in the Exchange Admin Center that could allow authenticated users to gain administrative privileges. The update implements enhanced role-based access control validation and fixes improper permission checks in EAC management operations. This prevents standard users from accessing administrative functions through crafted web requests.
Patches information disclosure vulnerability in Outlook Web Access (CVE-2026-0849)
Fixes an information disclosure vulnerability in Outlook Web Access that could expose sensitive mailbox data to unauthorized users. The update strengthens authentication mechanisms and implements proper session validation to prevent cross-user data access. OWA now correctly enforces mailbox access permissions for all user requests.
Addresses denial of service vulnerability in PowerShell remoting (CVE-2026-0850)
Resolves a denial of service vulnerability in Exchange PowerShell remoting that could cause service interruption. The fix implements proper resource management and request throttling to prevent memory exhaustion attacks. Exchange PowerShell sessions now handle malformed cmdlet parameters without causing service crashes.
Updates Exchange transport security components
Enhances security in Exchange transport services by updating TLS certificate validation routines and strengthening SMTP authentication mechanisms. The update also improves message filtering capabilities and updates anti-malware integration components to better detect and block malicious content.
Installation
KB5074994 is available through the following distribution channels:
Microsoft Update Catalog
Download the security update directly from the Microsoft Update Catalog. The update package is approximately 485 MB and requires local administrator privileges for installation.
Windows Server Update Services (WSUS)
Enterprise environments can deploy KB5074994 through WSUS. The update is classified as a Critical security update and will be automatically approved based on WSUS configuration policies.
Microsoft System Center Configuration Manager (SCCM)
Deploy the update through SCCM software update management. Create a deployment package and target Exchange servers in the appropriate device collections.
Prerequisites
- Microsoft Exchange Server 2019 Cumulative Update 14 must be installed
- Windows Server 2019 or Windows Server 2022 operating system
- Minimum 2 GB free disk space on the system drive
- Exchange services must be running before installation
Installation Process
The update requires a system restart to complete installation. Exchange services will be automatically stopped and restarted during the update process. Plan for approximately 30-45 minutes of downtime per Exchange server.
Known Issues
The following issues have been reported after installing KB5074994:
Exchange Management Shell Connection Issues
Some administrators may experience connection failures when accessing Exchange Management Shell remotely. This occurs when PowerShell execution policies are overly restrictive.
Workaround: Verify PowerShell execution policy settings and ensure the Exchange Trusted Subsystem has appropriate permissions:
```powershell
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine
Get-ManagementRoleAssignment -RoleAssignee "Exchange Trusted Subsystem"
```
Outlook Web Access Performance Degradation
Users may experience slower OWA response times immediately after the update installation. This is typically resolved within 24 hours as Exchange optimizes its internal caches.
Workaround: Restart the MSExchangeOWAAppPool application pool in IIS Manager to refresh OWA components.
Exchange Admin Center Certificate Warnings
EAC may display certificate warnings if custom SSL certificates are not properly configured after the update.
Workaround: Verify SSL certificate bindings and update certificate assignments using the Set-ExchangeCertificate cmdlet.
Overview
KB5074994 is a critical security update released on February 10, 2026, for Microsoft Exchange Server 2019 Cumulative Update 14. This update addresses multiple high-severity vulnerabilities that could allow attackers to compromise Exchange servers through remote code execution, elevation of privilege, information disclosure, and denial of service attacks.
Security Vulnerabilities Addressed
This security update resolves the following vulnerabilities:
| CVE ID | Component | Severity | Impact |
|---|---|---|---|
| CVE-2026-0847 | Exchange Web Services | Critical | Remote Code Execution |
| CVE-2026-0848 | Exchange Admin Center | Important | Elevation of Privilege |
| CVE-2026-0849 | Outlook Web Access | Important | Information Disclosure |
| CVE-2026-0850 | PowerShell Remoting | Moderate | Denial of Service |
Affected Systems
This update applies specifically to:
- Microsoft Exchange Server 2019 Cumulative Update 14 - All editions (Standard, Enterprise)
- Operating System Requirements: Windows Server 2019, Windows Server 2022
- Exchange Roles: Mailbox, Client Access, Edge Transport, Unified Messaging
Technical Details
Exchange Web Services Vulnerability (CVE-2026-0847)
The most critical vulnerability affects Exchange Web Services (EWS) and could allow unauthenticated remote code execution. Attackers could exploit this vulnerability by sending specially crafted SOAP requests to the EWS endpoint, potentially gaining full control of the Exchange server. The vulnerability exists in the EWS request parsing logic where insufficient input validation allows buffer overflow conditions.
Exchange Admin Center Vulnerability (CVE-2026-0848)
An elevation of privilege vulnerability in the Exchange Admin Center could allow authenticated users to gain administrative access. The vulnerability stems from improper role validation in EAC web requests, allowing standard users to execute administrative operations by manipulating HTTP parameters.
Outlook Web Access Vulnerability (CVE-2026-0849)
The information disclosure vulnerability in OWA could expose sensitive mailbox data to unauthorized users. This occurs when OWA fails to properly validate user sessions, potentially allowing access to other users' mailbox content through crafted web requests.
PowerShell Remoting Vulnerability (CVE-2026-0850)
A denial of service vulnerability in Exchange PowerShell remoting could cause service interruption. Malformed PowerShell cmdlet parameters could trigger memory exhaustion, causing the Exchange Management Service to become unresponsive.
Installation Requirements
System Prerequisites
- Exchange Server 2019 CU14 installed and operational
- Local administrator privileges on the Exchange server
- Minimum 2 GB free disk space on system drive
- Active Directory schema version 15.02.0986.000 or later
- Microsoft .NET Framework 4.8 or later
Pre-Installation Steps
- Verify Exchange server health using the Test-ServiceHealth cmdlet
- Create a full system backup including Exchange databases
- Document current Exchange configuration settings
- Notify users of planned maintenance window
- Ensure sufficient disk space for installation and rollback
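The locally checkable prerequisites and the service-health step above can be scripted as a pre-flight check. The following PowerShell is an added example, not part of the original article or any Microsoft tooling; the function name `Test-SuPrerequisite` is hypothetical, and 528040 is assumed as the minimum registry `Release` value indicating .NET Framework 4.8.

```powershell
# Pre-flight check for the prerequisites listed above. Run in an elevated
# Exchange Management Shell on the server to be patched.
# Test-SuPrerequisite is a hypothetical name used for this example.
function Test-SuPrerequisite {
    [CmdletBinding()]
    param(
        [int]$MinFreeGB = 2,            # "Minimum 2 GB free disk space"
        [int]$MinNetRelease = 528040    # lowest Release value for .NET Framework 4.8
    )
    $results = [ordered]@{}

    # Local administrator privileges are required to install the package.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $results['LocalAdmin'] = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Operating system must be Windows Server 2019 or Windows Server 2022.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $results['SupportedOS'] = $os.Caption -match 'Windows Server (2019|2022)'

    # Free space on the system drive.
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"
    $results['FreeDisk'] = ($disk.FreeSpace / 1GB) -ge $MinFreeGB

    # .NET Framework version, read from the setup registry key.
    $netKey = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $net = Get-ItemProperty -Path $netKey -Name Release -ErrorAction SilentlyContinue
    $results['DotNet48'] = [bool]($net -and $net.Release -ge $MinNetRelease)

    # Every installed role must report all required services running.
    # An empty result (cmdlet failed) is treated as a failed check.
    $health = @(Test-ServiceHealth)
    $notRunning = @($health | Where-Object { -not $_.RequiredServicesRunning })
    $results['ServicesRunning'] = ($health.Count -gt 0) -and ($notRunning.Count -eq 0)

    [pscustomobject]$results
}

$check = Test-SuPrerequisite
$check | Format-List
$failed = @($check.PSObject.Properties | Where-Object { -not $_.Value })
if ($failed.Count -gt 0) {
    Write-Warning ('Prerequisites not met: ' + ($failed.Name -join ', '))
} else {
    Write-Output 'All checked prerequisites are met.'
}
```

The script does not check the cumulative update level or the Active Directory schema version; confirm those separately before scheduling the maintenance window.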
Post-Installation Verification
After installing KB5074994, verify the update was applied successfully:
```powershell
# Check installed updates
Get-HotFix -Id KB5074994
# Verify Exchange build version
Get-ExchangeServer | Format-List Name, AdminDisplayVersion
# Test Exchange services
Test-ServiceHealth
# Verify EWS functionality
Test-WebServicesConnectivity -ClientAccessServer ExchangeServer01
```
Security Recommendations
Microsoft recommends the following security best practices after installing this update:
- Enable Exchange audit logging to monitor administrative activities
- Implement network segmentation to limit Exchange server exposure
- Configure firewall rules to restrict access to Exchange services
- Enable multi-factor authentication for Exchange administrative accounts
- Run regular security assessments using Microsoft Exchange Health Checker
Rollback Procedures
If issues occur after installation, KB5074994 can be removed using the following methods:
Control Panel Method
- Open Programs and Features in Control Panel
- Click "View installed updates"
- Locate KB5074994 and select "Uninstall"
- Restart the server when prompted
Command Line Method
```powershell
wusa /uninstall /kb:5074994 /quiet /norestart
```